Policy

Enable Microsoft Entra ID Authentication Enforcement

This policy setting allows you to specify whether to require server-side enforcement of Microsoft Entra ID authentication. If you enable this policy setting, all Remote Desktop Services clients must use RDS AAD Auth in order to authenticate to RD Session Host servers. This policy does not allow fallback to other authentication methods. Network Level Authentication (NLA) is required to be enabled in order for this policy to be effective. Refer to the "Require user authentication for remote connections by using Network Level Authentication" policy. If you disable or do not configure this policy setting, then Microsoft Entra ID Authentication Enforcement is not enforced.

Policy
PackMicrosoft Windows
CategoryWindows Components / Remote Desktop Services / Remote Desktop Session Host / Security
Policy IDd33193a0b6e0
Internal nameTS_MICROSOFT_ENTRA_ID_AUTHENTICATION_ENFORCEMENT_POLICY

Registry

Copy registry mappings

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\EnableMicrosoftEntraIdAuthenticationEnforcement (enabled) = 1
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\EnableMicrosoftEntraIdAuthenticationEnforcement (disabled) = 0

Policy notes

This policy setting allows you to specify whether to require server-side enforcement of Microsoft Entra ID authentication. If you enable this policy setting, all Remote Desktop Services clients must use RDS AAD Auth in order to authenticate to RD Session Host servers. This policy does not allow fallback to other authentication methods. Network Level Authentication (NLA) is required to be enabled in order for this policy to be effective. Refer to the "Require user authentication for remote connections by using Network Level Authentication" policy. If you disable or do not configure this policy setting, then Microsoft Entra ID Authentication Enforcement is not enforced.

Related policies